How to ensure a user's email is verified before they can sign in - needs feathers-authentication changes


Related to https://github.com/feathersjs/feathers-authentication/issues/391.


Original bug report by @IBwWG

OK, so, as a newcomer, I really am not sure where exactly this issue fits into this repo, but @eddyystop is pretty involved here so I’m taking his word for it. 😃 (Original issue is at https://github.com/eddyystop/feathers-starter-react-redux-login-roles but I’m assured that it’s not about that repo.)

Steps to reproduce

  1. git clone https://github.com/eddyystop/feathers-starter-react-redux-login-roles/
  2. npm install
  3. npm start
  4. curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -H "Postman-Token: 95cf199c-f038-c893-7053-a8a09fbef2ca" -d 'name=i have a name&username=nammmmmmmmmmme&password=what the hey&confirmPassword=what the hey&email=yes@no.why' "http://localhost:3030/users"
  5. curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 018a022f-bf1b-7e4f-cf11-db40a5fce490" -d 'email=yes@no.why&password=what the hey' "http://localhost:3030/auth/local"

Expected behavior

Failure, since I never verified with the “e-mailed” token. (i.e. I didn’t use the link that appears in the console at step 4.)

Actual behavior

Success and JWT token given via JSON. If you scrap the Accept header in step 5, you get a similar result served up in HTML.

System configuration

This is happening on both a Windows box and a Linux box I am testing on.

Module versions (especially the part that’s not working):

feathers-authentication 0.7, feathers 2.0.3

NodeJS version:

Windows: node 7.3.0, Linux: node 6.9.2

Operating System:

Windows: 7x64sp1, Linux: Mint 17.3 (32-bit)

Module Loader:

see https://github.com/eddyystop/feathers-starter-react-redux-login-roles


I think the main issue is around documentation or we should have a hook that someone can use to ensure that an email exists and has been verified. Currently the way I see this working is a hook after auth.hooks.authenticate or it is a custom verifier for feathers-authentication-local that upon looking up the user by email also ensures that the email has been verified.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:14

Top GitHub Comments

2 reactions
danlupascu commented, Nov 4, 2018

I don’t know if you still need help with this issue but the solution is very simple: add the isVerified hook in the before hook of authentication service.

Example: (You only need to add two lines to this service)

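// Your imports. The identifiers below are the ones this file uses; the package
// names are assumed to be the standard Feathers generator ones, adjust to your app.
const authentication = require('@feathersjs/authentication');
const jwt = require('@feathersjs/authentication-jwt');
const local = require('@feathersjs/authentication-local');
const oauth2 = require('@feathersjs/authentication-oauth2');
const GoogleStrategy = require('passport-google-oauth20');
const FacebookStrategy = require('passport-facebook');
// !!! Import the verification hooks
const verifyHooks = require('feathers-authentication-management').hooks;
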
// src/authentication.js
module.exports = function (app) {
  const config = app.get('authentication');

  // Set up authentication with the secret
  app.configure(authentication(config));
  app.configure(jwt());
  app.configure(local());

  app.configure(oauth2(Object.assign({
    name: 'google',
    Strategy: GoogleStrategy
  }, config.google)));

  app.configure(oauth2(Object.assign({
    name: 'facebook',
    Strategy: FacebookStrategy
  }, config.facebook)));

  // The `authentication` service is used to create a JWT.
  // The before `create` hook registers strategies that can be used
  // to create a new valid JWT (e.g. local or oauth2)
  app.service('authentication').hooks({
    before: {
      create: [
        authentication.hooks.authenticate(config.strategies),
        verifyHooks.isVerified() // !!! Add the isVerified hook; it runs after authenticate, which sets params.user
      ],
      remove: [
        authentication.hooks.authenticate('jwt')
      ]
    },
    after: {
      create: [
        context => {
          // Add the user to the result response
          context.result.user = context.params.user;
          // Don't expose sensitive information.
          delete context.result.user.password;
        }
      ]
    }
  });
};
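
The hook ordering discussed in this thread, as an added example that is not part of the original comment or of any Feathers package. It uses a constructed in-memory user list and stand-in `authenticate` and `requireVerified` functions (hypothetical names, with an assumed `isVerified` flag on the user record) to show the ungated sign-in from the bug report, the gated chain, and why the gate has to run after the step that sets `params.user`:

```javascript
// Added illustration: a stand-in for a Feathers "before create" hook chain.
// USERS, authenticate, requireVerified and signIn are constructed for this example.
const USERS = [
  { email: 'verified@example.test', password: 'pw-1', isVerified: true },
  { email: 'pending@example.test', password: 'pw-2', isVerified: false }
];

// Stand-in for authentication.hooks.authenticate: on success it sets params.user.
// (Plain-text comparison only because this is a toy in-memory store.)
function authenticate(context) {
  const { email, password } = context.data;
  const user = USERS.find(u => u.email === email && u.password === password);
  if (!user) throw new Error('NotAuthenticated');
  context.params.user = user;
  return context;
}

// Gate in the spirit of isVerified: fail closed when there is no user
// or the user has not confirmed the e-mailed token.
function requireVerified(context) {
  const user = context.params.user;
  if (!user || user.isVerified !== true) throw new Error('EmailNotVerified');
  return context;
}

// Run the before hooks in order; issue a token only if none of them throws.
function signIn(hooks, data) {
  const context = { data, params: {} };
  try {
    for (const hook of hooks) hook(context);
    return { ok: true, accessToken: 'constructed-token-for-' + context.params.user.email };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

const ungated = [authenticate];                     // behaviour reported in the issue
const gated = [authenticate, requireVerified];      // order used in the comment above
const misordered = [requireVerified, authenticate]; // gate sees no params.user yet

const pending = { email: 'pending@example.test', password: 'pw-2' };
const verified = { email: 'verified@example.test', password: 'pw-1' };

console.log(signIn(ungated, pending));     // token issued without verification
console.log(signIn(gated, pending));       // rejected: EmailNotVerified
console.log(signIn(gated, verified));      // token issued
console.log(signIn(misordered, verified)); // rejected: gate ran before authenticate
```
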

0 reactions
eddyystop commented, Nov 10, 2018

I believe all the issues here have been addressed. If you have any new comments, please make them in the authenticate-local-management rewrite.

Full details on the rewrite are posted to https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md
